
Cannot log into LDAP/eDirectory from a SLES 11 machine



slacktom
20-Sep-2011, 09:56
Hi!

I have set up a SLES 11 machine to be an LDAP client.
Everything went fine installing it, and with the LDAP browser
I can browse the whole LDAP tree with users and attributes.
I have set up the LDAP client to create new home directories
when a first-time user logs on.
However, when I try to log in with an LDAP-valid user name
I get the following error: "User not known to underlying authentication
module".
This (I believe) must be a PAM-related error, but I just can't figure
out how to configure
the PAM-related modules: common-auth, common-password and
common-session.
These files look like this:

/etc/pam.d/common-auth:

# This file is autogenerated by pam-config.
# Authentication-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass

/etc/pam.d/common-password:

# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#
password requisite pam_pwcheck.so nullok cracklib
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok

/etc/pam.d/common-session:

# Session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive)
#
session optional pam_mkhomedir.so
session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session optional pam_umask.so

/etc/pam.d/login:

#%PAM-1.0
auth requisite pam_nologin.so
auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session required pam_lastlog.so nowtmp
session optional pam_mail.so standard
session optional pam_ck_connector.so


I'm stuck with this, so any help or hints are appreciated.


--
slacktom
------------------------------------------------------------------------
slacktom's Profile: http://forums.novell.com/member.php?userid=116945
View this thread: http://forums.novell.com/showthread.php?t=444975

friedl jan
21-Sep-2011, 08:36
Hi,
check if you have these lines in /etc/nsswitch.conf:
passwd: compat
group: files ldap
passwd_compat: ldap


You can check your configuration with "getent passwd". This lists all
users which are able to log in. ;-)


--
Honzik
------------------------------------------------------------------------
friedl_jan's Profile: http://forums.novell.com/member.php?userid=56174

slacktom
23-Sep-2011, 08:46
friedl_jan;2139330 Wrote:
> Hi,
> check if you have these lines in /etc/nsswitch.conf:
> passwd: compat
> group: files ldap
> passwd_compat: ldap
>
>
> You can check your configuration with "getent passwd". This lists all
> users which are able to log in. ;-)

Best Honzik
Thank you for your reply!
Unfortunately it doesn't work with adding "passwd_compat: ldap" to the
nsswitch.conf file.

My nsswitch.conf looks like this now :

# /etc/nsswitch.conf

# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat
passwd_compat: ldap
group: files ldap
shadow: files ldap

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 mdns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: ldap

Still getting the same error when trying to log in: "User not known to
the underlying authentication module".
By the way: 'getent passwd' only returns the local users in
/etc/passwd. No users on the LDAP server get listed.

Best Regards,
slacktom


--
slacktom

friedl jan
23-Sep-2011, 08:46
Hi slacktom,

here is my SLES 11 nsswitch.conf, which is OK. ;-)

passwd: compat
group: files ldap

hosts: files dns
networks: files dns

services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files

bootparams: files
automount: files nis
aliases: files ldap
passwd_compat: ldap



slacktom;2140166 Wrote:
>
> By the way: 'getent passwd' only returns the local users in
> /etc/passwd. No users on the LDAP server get listed.
>

That is the problem: getent lists all users which are able to log in. ;-)


--
Honzik
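The test both replies turn on, whether "getent passwd" reaches the directory at all, depends on how glibc resolves the passwd line in nsswitch.conf: "compat" is not a source by itself but is expanded through the "passwd_compat:" line (and falls back to nis when that line is missing). The script below is an added example, not code from the thread or from SUSE; it computes the effective passwd sources that way and runs against constructed copies of the two kinds of configuration posted above (file names and sample contents are made up for the demonstration).

```sh
#!/bin/sh
# Added example (not from the thread): resolve the effective NSS sources
# for a database as glibc reads nsswitch.conf. If "ldap" is not among the
# passwd sources, getent passwd can only return /etc/passwd entries and
# PAM reports "User not known to underlying authentication module".

# Print the sources listed for one database, one per line, skipping
# comments and [ACTION=...] tokens.
nss_sources() {
    db=$1 file=$2
    sed 's/#.*//' "$file" | awk -v db="$db" '
        { sub(/:$/, "", $1) }
        $1 == db { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }'
}

# Same list, but every "compat" replaced by the <db>_compat sources
# (glibc defaults to nis when no <db>_compat line exists).
effective_sources() {
    db=$1 file=$2
    for s in $(nss_sources "$db" "$file"); do
        if [ "$s" = compat ]; then
            c=$(nss_sources "${db}_compat" "$file")
            echo "${c:-nis}"
        else
            echo "$s"
        fi
    done | tr '\n' ' ' | sed 's/ $//'
}

# Exit status 0 when passwd lookups can reach the directory at all.
passwd_uses_ldap() {
    case " $(effective_sources passwd "$1") " in
        *" ldap "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files: one like the posted configs (compat expanded
# to ldap), one with compat but no passwd_compat line.
WITH_COMPAT=$(mktemp); NO_COMPAT_LINE=$(mktemp)
trap 'rm -f "$WITH_COMPAT" "$NO_COMPAT_LINE"' EXIT
cat >"$WITH_COMPAT" <<'EOF'
passwd: compat
group: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
passwd_compat: ldap
EOF
printf 'passwd: compat\ngroup: files\n' >"$NO_COMPAT_LINE"

effective_sources passwd "$WITH_COMPAT"     # ldap
effective_sources passwd "$NO_COMPAT_LINE"  # nis
```

When this reports ldap for the real /etc/nsswitch.conf and "getent passwd <user>" still returns nothing, as in slacktom's case, the fault is in the LDAP NSS module or its client configuration rather than in nsswitch.conf or the PAM stack.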